
XCoderTools markets XWorm 6.0 lifetime access on cybercrime forums

Threat Actor Meta
Happening score: 33
1 unique source, 1 article

Summary


XCoderTools reemerged on cybercrime forums to sell XWorm 6.0, showing that the malware ecosystem still has active commercial demand. The build was priced at $500 for lifetime access and promoted as a fully re-coded release that fixes the known RCE flaw. The listing matters because it signals continuity in the XWorm market even after earlier signs that the project had been abandoned.

Related Happenings

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Claude Code leak GitHub Vidar lure campaign

Campaign
First: 02.04.2026 23:30 Last: 02.04.2026 23:30 Sources 1

About this happening: A **malicious GitHub repository campaign** is abusing the **Claude Code leak** to deliver **Vidar** to users searching for leaked code. The lure uses a **fake leak**, **search-eng...

Anthropic Claude Code source code leak from NPM release

Data Leak
First: 01.04.2026 03:32 Last: 01.04.2026 03:32 Sources 1

About this happening: Anthropic **mistakenly exposed** proprietary **Claude Code** source code through an **NPM** release, allowing the codebase to be reconstructed and spread online. The leak involved...

Latest development: 02.04.2026 23:30

Threat actors are using fake GitHub repositories to exploit the Claude Code source code leak and lure users searching for leaked Claude Code into downloading a 7-Zip archive that launches ClaudeCode_x64.exe and drops Vidar and GhostSocks; Zscaler says the bogus repository is SEO-optimized for Google Search queries like “leaked Claude Code.”

Timeline

  1. 07.10.2025 13:36 2 articles · 7mo ago

    XCoderTools markets XWorm 6.0 lifetime access

    Campaign Scope Update

    XCoderTools offered XWorm 6.0 on cybercrime forums for $500 lifetime access, advertising the build as a fully re-coded version that fixed the known RCE flaw in the XWorm ecosystem.

  2. 07.10.2025 13:36 1 article · 7mo ago

    Trellix details XWorm's modular plugin architecture

    Technical Analysis Update

    Trellix researchers described XWorm as a modular RAT built around a core client and specialized plugins, including more than 35 DLL payloads that can be loaded in memory to steal data, run commands, record webcams, deploy ransomware, and support other host actions. The analysis also linked XWorm 6.0 to phishing emails carrying malicious JavaScript files, decoy PDF content, process injection into RegSvcs.exe, and a C2 server at 94.159.113[.]64 on port 4411.

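An added detection sketch for the behaviours the Trellix item above reports (not code from Trellix or this site): it checks endpoint events for a script host running a .js file, RegSvcs.exe connecting to a non-private address, and traffic to the listed C2. The event schema, host names, rule names and sample events are constructed assumptions.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Indicator as published on the page (defanged); refanged only for matching.
C2_DEFANGED, C2_PORT = "94.159.113[.]64", 4411
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_ARG = re.compile(r"\.js(?![a-z0-9])", re.IGNORECASE)

def refang(indicator):
    return indicator.replace("[.]", ".")

C2_IP = ipaddress.ip_address(refang(C2_DEFANGED))

def triage(events):
    """Return sorted (host, rule) pairs; rule names are hypothetical."""
    hits = set()
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["type"] == "process":
            # Delivery stage: a Windows script host executing a .js file.
            if image in SCRIPT_HOSTS and JS_ARG.search(ev["cmdline"]):
                hits.add((ev["host"], "script-host-runs-js"))
        elif ev["type"] == "network":
            dst = ipaddress.ip_address(ev["dst_ip"])
            if dst == C2_IP and ev["dst_port"] == C2_PORT:
                hits.add((ev["host"], "known-c2"))
            # Injection stage. Assumption: RegSvcs.exe has no routine
            # reason to connect to a non-private address.
            if image == "regsvcs.exe" and not dst.is_private:
                hits.add((ev["host"], "regsvcs-external-connection"))
    return sorted(hits)

# Constructed sample events in a simplified, hypothetical schema.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\invoice.js"'},
    {"type": "network", "host": "ws-01", "image": REGSVCS,
     "dst_ip": "94.159.113.64", "dst_port": 4411},
    {"type": "network", "host": "ws-02", "image": REGSVCS,
     "dst_ip": "10.0.0.8", "dst_port": 443},
    {"type": "process", "host": "ws-03",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe build.js"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only ws-01; the internal RegSvcs.exe connection on ws-02 and the Node.js build on ws-03 are left alone.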